New ISA/IEC 62443 standard specifies security capabilities for control system components

The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs). The committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.

A new standard in the series, ISA-62443-4-2, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components, provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components, and software applications. The standard, which is based on the IACS system security requirements of ISA/IEC 62443-3-3, System Security Requirements and Security Levels, specifies security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.

"The standard definition of the security capabilities for system components provides a common language for product suppliers and all other control system stakeholders," emphasizes Kevin Staggs of Honeywell, who led the ISA99 development group for the standard. "This simplifies the procurement and integration processes for the computers, applications, network equipment, and control devices that make up a control system."

The new standard follows the February 2018 publication of ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process requirements for the secure development of products used in an IACS and defines a secure development life cycle for developing and maintaining secure products. The life cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end of life.

Looking ahead

Another key ISA/IEC 62443 standard expected to be completed in the coming months is ISA/IEC 62443-3-2, Security Risk Assessment, System Partitioning and Security Levels, which is based on the understanding that IACS security is a matter of risk management. That is, each IACS presents a different risk to an organization depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. Further, each organization that owns and operates an IACS has its own tolerance for risk.

For these reasons, ISA/IEC 62443-3-2 will define a set of engineering measures to guide organizations through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels. A key concept is the application of IACS security zones and conduits, which were introduced in ISA/IEC 62443-1-1, Concepts and Models. The new standard provides a basis for specifying security countermeasures by aligning the identified target security level with the required security level capabilities set forth in ISA/IEC 62443-3-3, System Security Requirements and Security Levels.

ISA99 is also working on converting ISA/IEC TR62443-2-3, Patch Management in the IACS Environment, into a standard by adding normative language. The current technical report addresses the installation of patches, also called software updates, software upgrades, firmware upgrades, service packs, hot fixes, basic input/output system updates, and other digital electronic program updates that address bugs, operability and reliability issues, and cybersecurity vulnerabilities. It covers many of the problems and industry concerns associated with IACS patch management for asset owners and IACS product suppliers. It also describes the effects poor patch management can have on the reliability and operability of an IACS.

The technical report provides a defined format for the exchange of information about security patches from asset owners to IACS product suppliers, and definitions of activities associated with the development of the patch information by IACS product suppliers and deployment of the patches by asset owners. The exchange format and activities are defined for use in security-related patches, but may also be applicable for other types of patches or updates.

For information on viewing or obtaining any of the ISA/IEC 62443 standards, visit www.isa.org/findstandards. For information on ISA99 and the ISA/IEC 62443 series of cybersecurity standards, contact Eliana Brazda, ISA Standards, ebrazda@isa.org or +1-919-990-9200.

Have an idea for an ISA standard, book, training course, conference topic, or other product or service? Send it to idea@isa.org.

Standards meetings at the 2018 ISA Leaders Conference, Montreal, Quebec

ISA112, SCADA Systems
12 October

ISA101, HMI (working groups)
15-17 October

ISA18, Management of Alarms
16 October

ISA75, Control Valves
15-16 October

ISA96, Valve Actuators
17-18 October

For more information, visit www.isa.org/isa-annual-leadership-conference

Your Thoughts

Please feel free to send your thoughts about this topic to Bill Lydon at InTechmagazine@isa.org.